Bugzilla – Bug 1194517
VUL-0: CVE-2022-0185: kernel-source: overflow bug in legacy_parse_param
Last modified: 2023-01-18 17:22:16 UTC
From: Will <willsroot@protonmail.com>
Subject: [oss-security] Linux kernel: Heap buffer overflow in fs_context.c since version 5.1

There is a heap overflow bug in legacy_parse_param in which the length of data copied can be incremented beyond the width of the 1-page slab allocated for it. We currently have created functional LPE exploits against Ubuntu 20.04 and container escape exploits against Google's hardened COS. The bug was introduced in 5.1-rc1 (https://github.com/torvalds/linux/commit/3e1aeb00e6d132efc151dacc062b38269bc9eccc#diff-c4a9ea83de4a42a0d1bcbaf1f03ce35188f38da4987e0e7a52aae7f04de14a05) and is present in all Linux releases since. As of January 18th, this patch (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=722d94847de29310e8aa03fcbdb41fc92c521756) fixes this issue.

The bug is caused by an integer underflow present in fs/fs_context.c:legacy_parse_param, which results in miscalculation of a valid max length. A bounds check is present at fs_context.c:551, returning an error if (len > PAGE_SIZE - 2 - size); however, if the value of size is greater than or equal to 4095, the unsigned subtraction will underflow to a massive value greater than len, so the check will not trigger. After this, the attacker may freely write data out-of-bounds. Changing the check to size + len + 2 > PAGE_SIZE (which the patch did) would fix this.

Exploitation relies on the CAP_SYS_ADMIN capability; however, the permission only needs to be granted in the current namespace. An unprivileged user can use unshare(CLONE_NEWNS|CLONE_NEWUSER) to enter a namespace with the CAP_SYS_ADMIN permission, and then proceed with exploitation to root the system.
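The two forms of the bounds check quoted in the report above can be compared in user space. This is an added example, not code from the report or from the kernel tree: the function names are hypothetical, PAGE_SIZE is assumed to be 4096, and only the arithmetic is modelled (no buffer is allocated or written).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL /* assumption: 4 KiB pages */

/* Pre-fix predicate from the report; true means "reject the option".
 * The right-hand side is unsigned, so it wraps to a huge value once
 * size exceeds PAGE_SIZE - 2 and the comparison can no longer be true. */
static bool legacy_rejects(unsigned int size, size_t len)
{
    return len > PAGE_SIZE - 2 - size;
}

/* Post-fix predicate from the report: additions only, so there is no
 * subtraction that can wrap below zero. */
static bool fixed_rejects(unsigned int size, size_t len)
{
    return size + len + 2 > PAGE_SIZE;
}

/* Scan size in [0, max_size] and len in [0, max_len]; return the smallest
 * size at which the legacy check accepts something the fixed check
 * rejects, or -1 if the two predicates agree everywhere in that range. */
static long first_divergent_size(unsigned int max_size, size_t max_len)
{
    for (unsigned int size = 0; size <= max_size; size++)
        for (size_t len = 0; len <= max_len; len++)
            if (!legacy_rejects(size, len) && fixed_rejects(size, len))
                return (long)size;
    return -1;
}

int main(void)
{
    printf("first size where the checks disagree: %ld\n",
           first_divergent_size(8192u, 64));
    printf("size=4094 len=1: legacy rejects=%d, fixed rejects=%d\n",
           legacy_rejects(4094, 1), fixed_rejects(4094, 1));
    printf("size=4095 len=1: legacy rejects=%d, fixed rejects=%d\n",
           legacy_rejects(4095, 1), fixed_rejects(4095, 1));
    return 0;
}
```

Below the boundary the two predicates are algebraically identical, which is why the defect only shows up once size reaches 4095.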
openSUSE-SU-2022:0169-1: An update that solves 10 vulnerabilities and has 32 fixes is now available. Category: security (important) Bug References: 1065729,1071995,1154353,1154492,1156395,1167773,1176447,1176774,1177437,1190256,1191271,1191929,1192931,1193255,1193328,1193660,1193669,1193727,1193901,1193927,1194001,1194027,1194087,1194094,1194302,1194493,1194516,1194517,1194518,1194529,1194578,1194580,1194584,1194586,1194587,1194589,1194590,1194591,1194592,1194888,1194953,1194985 CVE References: CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-45485,CVE-2021-45486,CVE-2021-46283,CVE-2022-0185,CVE-2022-0322 JIRA References: Sources used: openSUSE Leap 15.3 (src): kernel-azure-5.3.18-150300.38.37.1, kernel-source-azure-5.3.18-150300.38.37.1, kernel-syms-azure-5.3.18-150300.38.37.1
SUSE-SU-2022:0169-1: An update that solves 10 vulnerabilities and has 32 fixes is now available. Category: security (important) Bug References: 1065729,1071995,1154353,1154492,1156395,1167773,1176447,1176774,1177437,1190256,1191271,1191929,1192931,1193255,1193328,1193660,1193669,1193727,1193901,1193927,1194001,1194027,1194087,1194094,1194302,1194493,1194516,1194517,1194518,1194529,1194578,1194580,1194584,1194586,1194587,1194589,1194590,1194591,1194592,1194888,1194953,1194985 CVE References: CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-45485,CVE-2021-45486,CVE-2021-46283,CVE-2022-0185,CVE-2022-0322 JIRA References: Sources used: SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src): kernel-azure-5.3.18-150300.38.37.1, kernel-source-azure-5.3.18-150300.38.37.1, kernel-syms-azure-5.3.18-150300.38.37.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Write-up from Qualys with exploit: https://www.openwall.com/lists/oss-security/2022/01/25/14
SUSE-SU-2022:0198-1: An update that solves 10 vulnerabilities and has 33 fixes is now available. Category: security (important) Bug References: 1065729,1071995,1154353,1154492,1156395,1167773,1176447,1176774,1177437,1190256,1191271,1191929,1192931,1193255,1193328,1193660,1193669,1193727,1193901,1193927,1194001,1194027,1194087,1194094,1194266,1194302,1194493,1194516,1194517,1194518,1194529,1194578,1194580,1194584,1194586,1194587,1194589,1194590,1194591,1194592,1194888,1194953,1194985 CVE References: CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-45485,CVE-2021-45486,CVE-2021-46283,CVE-2022-0185,CVE-2022-0322 JIRA References: Sources used: SUSE MicroOS 5.1 (src): kernel-default-5.3.18-150300.59.43.1, kernel-default-base-5.3.18-150300.59.43.1.150300.18.27.1 SUSE Linux Enterprise Workstation Extension 15-SP3 (src): kernel-default-5.3.18-150300.59.43.1, kernel-preempt-5.3.18-150300.59.43.1 SUSE Linux Enterprise Module for Live Patching 15-SP3 (src): kernel-default-5.3.18-150300.59.43.1, kernel-livepatch-SLE15-SP3_Update_12-1-150300.7.3.1 SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src): kernel-default-5.3.18-150300.59.43.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): kernel-docs-5.3.18-150300.59.43.1, kernel-obs-build-5.3.18-150300.59.43.1, kernel-preempt-5.3.18-150300.59.43.1, kernel-source-5.3.18-150300.59.43.1, kernel-syms-5.3.18-150300.59.43.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): kernel-64kb-5.3.18-150300.59.43.1, kernel-default-5.3.18-150300.59.43.1, kernel-default-base-5.3.18-150300.59.43.1.150300.18.27.1, kernel-preempt-5.3.18-150300.59.43.1, kernel-source-5.3.18-150300.59.43.1, kernel-zfcpdump-5.3.18-150300.59.43.1 SUSE Linux Enterprise High Availability 15-SP3 (src): kernel-default-5.3.18-150300.59.43.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. 
If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0197-1: An update that solves 22 vulnerabilities and has 59 fixes is now available. Category: security (important) Bug References: 1071995,1139944,1151927,1152489,1153275,1154353,1154355,1161907,1164565,1166780,1169514,1176242,1176536,1176544,1176545,1176546,1176548,1176558,1176559,1176940,1176956,1177440,1178270,1179211,1179424,1179426,1179427,1179599,1179960,1181148,1181507,1181710,1183534,1183540,1183897,1184209,1185726,1185902,1187541,1189126,1189158,1191271,1191793,1191876,1192267,1192507,1192511,1192569,1192606,1192845,1192847,1192877,1192946,1192969,1192987,1192990,1192998,1193002,1193042,1193169,1193255,1193306,1193318,1193349,1193440,1193442,1193660,1193669,1193727,1193767,1193901,1193927,1194001,1194087,1194094,1194302,1194516,1194517,1194529,1194888,1194985 CVE References: CVE-2020-27820,CVE-2020-27825,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4001,CVE-2021-4002,CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45485,CVE-2021-45486,CVE-2022-0185,CVE-2022-0322 JIRA References: Sources used: SUSE MicroOS 5.0 (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1 SUSE Manager Server 4.1 (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-obs-build-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 SUSE Manager Retail Branch Server 4.1 (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 SUSE Manager Proxy 4.1 (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 SUSE Linux Enterprise Server for 
SAP 15-SP2 (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-obs-build-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-obs-build-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 SUSE Linux Enterprise Module for Live Patching 15-SP2 (src): kernel-default-5.3.18-24.99.1, kernel-livepatch-SLE15-SP2_Update_23-1-5.3.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-obs-build-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-obs-build-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 SUSE Linux Enterprise High Availability 15-SP2 (src): kernel-default-5.3.18-24.99.1 SUSE Enterprise Storage 7 (src): kernel-default-5.3.18-24.99.1, kernel-default-base-5.3.18-24.99.1.9.46.1, kernel-docs-5.3.18-24.99.1, kernel-obs-build-5.3.18-24.99.1, kernel-preempt-5.3.18-24.99.1, kernel-source-5.3.18-24.99.1, kernel-syms-5.3.18-24.99.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0198-1: An update that solves 10 vulnerabilities and has 33 fixes is now available. Category: security (important) Bug References: 1065729,1071995,1154353,1154492,1156395,1167773,1176447,1176774,1177437,1190256,1191271,1191929,1192931,1193255,1193328,1193660,1193669,1193727,1193901,1193927,1194001,1194027,1194087,1194094,1194266,1194302,1194493,1194516,1194517,1194518,1194529,1194578,1194580,1194584,1194586,1194587,1194589,1194590,1194591,1194592,1194888,1194953,1194985 CVE References: CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-45485,CVE-2021-45486,CVE-2021-46283,CVE-2022-0185,CVE-2022-0322 JIRA References: Sources used: openSUSE Leap 15.4 (src): dtb-aarch64-5.3.18-150300.59.43.1, kernel-preempt-5.3.18-150300.59.43.1 openSUSE Leap 15.3 (src): dtb-aarch64-5.3.18-150300.59.43.1, kernel-64kb-5.3.18-150300.59.43.1, kernel-debug-5.3.18-150300.59.43.1, kernel-default-5.3.18-150300.59.43.1, kernel-default-base-5.3.18-150300.59.43.1.150300.18.27.1, kernel-docs-5.3.18-150300.59.43.1, kernel-kvmsmall-5.3.18-150300.59.43.1, kernel-obs-build-5.3.18-150300.59.43.1, kernel-obs-qa-5.3.18-150300.59.43.1, kernel-preempt-5.3.18-150300.59.43.1, kernel-source-5.3.18-150300.59.43.1, kernel-syms-5.3.18-150300.59.43.1, kernel-zfcpdump-5.3.18-150300.59.43.1
SUSE-SU-2022:0289-1: An update that solves 10 vulnerabilities and has 9 fixes is now available. Category: security (important) Bug References: 1071995,1184209,1191271,1193255,1193660,1193669,1193727,1193767,1193901,1193927,1194001,1194087,1194094,1194302,1194516,1194517,1194529,1194888,1194985 CVE References: CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-44733,CVE-2021-45485,CVE-2021-45486,CVE-2022-0185,CVE-2022-0322 JIRA References: Sources used: SUSE Linux Enterprise Module for Realtime 15-SP2 (src): kernel-rt-5.3.18-68.1, kernel-rt_debug-5.3.18-68.1, kernel-source-rt-5.3.18-68.1, kernel-syms-rt-5.3.18-68.1 SUSE Linux Enterprise Micro 5.0 (src): kernel-rt-5.3.18-68.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0288-1: An update that solves 9 vulnerabilities, contains 7 features and has 30 fixes is now available. Category: security (important) Bug References: 1065729,1071995,1154353,1154492,1156395,1167773,1176447,1176774,1177437,1190256,1191271,1192931,1193255,1193328,1193669,1193727,1193767,1193901,1193927,1194001,1194027,1194302,1194493,1194516,1194517,1194518,1194529,1194580,1194584,1194586,1194587,1194589,1194590,1194591,1194592,1194888,1194953,1194985,1195062 CVE References: CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-44733,CVE-2021-46283,CVE-2022-0185,CVE-2022-0322 JIRA References: SLE-13294,SLE-13533,SLE-14777,SLE-15172,SLE-16683,SLE-23432,SLE-8464 Sources used: SUSE Linux Enterprise Module for Realtime 15-SP3 (src): kernel-rt-5.3.18-150300.71.1, kernel-rt_debug-5.3.18-150300.71.1, kernel-source-rt-5.3.18-150300.71.1, kernel-syms-rt-5.3.18-150300.71.1 SUSE Linux Enterprise Micro 5.1 (src): kernel-rt-5.3.18-150300.71.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released
Created attachment 856734
poc.c

As real root:

su
# modprobe 9p
# gcc -o poc poc.c
# ./poc

will crash the kernel before the fix and should just return after the fix. (It triggers the kernel buffer overflow that is being exploited.)